Sec-Fetch-User

Baseline 2023

Newly available

Since March 2023, this feature works across the latest devices and browser versions. This feature might not work in older devices or browsers.

The Sec-Fetch-User fetch metadata request header is only sent for requests initiated by user activation, and its value will always be ?1.

A server can use this header to identify whether a navigation request from a document, iframe, etc., was originated by the user.

Header type Fetch Metadata Request Header
Forbidden header name yes (prefix Sec-)
CORS-safelisted request header no

Syntax

http
Sec-Fetch-User: ?1

Directives

The value will always be ?1. When a request is triggered by something other than a user activation, the spec requires browsers to omit the header completely.

Examples

If a user clicks on a page link to another page on the same origin, the resulting request would have the following headers:

http
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Specifications

Specification
Fetch Metadata Request Headers
# sec-fetch-user-header

Browser compatibility

BCD tables only load in the browser

See also